Question Of The Week

May 12, 2016

Posted on by hortyspringer

QUESTION:        Several registrants at our recent Complete Course for Medical Staff Leaders in San Antonio asked related questions:  Where should quality concerns expressed by a Medical Staff member be documented (particularly when the physician who has been counseled about behavior that undermines a culture of safety has alleged that the counseling is retaliatory)?  And, how should collegial interventions be followed up?

ANSWER:            All quality concerns should be assessed and followed up.  Where the assessment and follow-up documentation is placed depends on the nature of the concerns. Allegations of retaliation are becoming very common, and likely to be used in the event of a professional review action in a hearing or litigation by an attorney for the physician.  Documenting that the concerns have been reviewed and, if there is merit to them, addressed may be critical to the defense of a professional review action.

No one – even a Medical Staff member – is entitled to confidential peer review information about how another professional may have been counseled or how a particular issue has been resolved if the resolution involves confidential information. Anyone reporting a concern should be advised that all concerns are taken seriously, but that confidentiality must be respected.

Documentation submitted by a physician who raised a concern can be maintained in that physician’s file along with brief documentation as to whom the concern was directed appropriately, depending on the nature of the concern.  If the concern led to changes in policy, and if that policy change is not a confidential peer review matter, that resolution could be maintained in several places, including in the physician’s file, and the physician informed of the outcome.  However, raising a concern does not justify behavior that is disrespectful of others or interferes with the delivery of care.  It is also important to document collegial interventions in a constructive way, thanking the physician for meeting, summarizing the key points of any meeting and expectations for behavior going forward, and inviting the physician to respond in writing for the file. If the behavior continues, documentation of progressive steps, perhaps leading to conditional reappointment, is important.

If a physician raises multiple concerns over time, that pattern in itself may become disruptive.  It can be tempting to “consider the source” and not take a complaint seriously if the concerns are raised by a physician whose behavior has been the subject of many reports by team members, and if that physician has a pattern of attributing leaders’ interventions as retaliatory.  Don’t succumb to that temptation!  Rise above it and remember that someday a hearing panel, the Board or even a judge may be reviewing your documentation.

May 5, 2016

Posted on by hortyspringer

QUESTION:        Can credentials and peer review information about a practitioner be shared with a sister hospital if the sister hospital has the same Board, but each has its own separate medical staff?  Should they?

ANSWER:            Hospitals that are affiliated under the same Board, in a system, can exchange information, although we recommend several steps to maximize legal protection, standardize the process, and quell any paranoia that may exist with regard to such sharing. We generally recommend including a provision in each hospital’s medical staff bylaws or credentials policy, as well as a statement on the application form, that the applicant understands that information will be shared among entities in the system and that the sharing of this information is not intended to be a waiver of the state peer review protection statute.  It is also a good idea to have a formal information-sharing agreement among the hospitals which clearly defines what information will be shared, when it will be shared, and to whom it will be forwarded – all of which is drafted in compliance with and with appropriate references to the state peer review statute.

As for whether the hospitals should share information, the answer is yes. Two hospitals under one Board would be considered one corporate entity.  Each individual hospital (or clinic, health plan, ambulatory surgery center and any other related facility) is part of that one entity.  Important to the medical staff leaders responsible for helping to maintain high standards of care through careful and thorough credentialing of physicians is the fact that because it is one entity, credentialers may be “deemed” to be making recommendations as to whether a specific practitioner is qualified and competent based on the collective knowledge of the entity as a whole, rather than the knowledge contained in an individual hospital.  The standard is the law – when it comes to doling out liability – that the credentialers “knew or should have known” the relevant information that came from the sister facility.

April 28, 2016

Posted on by hortyspringer

QUESTION:        We have an applicant who, technically, does not satisfy our threshold criteria.  But, we’re wondering if it’s really a big enough deal to justify keeping this physician off of our staff.  Specifically, this applicant had his license suspended six months ago, for 37 days, due to failure to comply with the tax code.  The physician disclosed the suspension on his application and included a narrative explanation, which basically stated that:

  • His wife failed to file the family’s tax returns for three years, without his knowledge. This resulted in him getting further behind in filing and caused tax penalties to add up.
  • He did not realize he had any tax delinquencies or that there was any problem with his license until his employer was notified that his license was suspended. He said mail delivery at his home has a history of being unreliable.
  • He resubmitted all ten years of tax returns that were requested by the taxing authority and was fully compliant with their investigation into the matter, once he knew there was a problem.
  • He paid the outstanding taxes and penalties due.
  • His license was reinstated after 37 days.

Our primary source verification of his license indicates the suspension and that it was due to failure to comply with the tax code.  Do we really need to make a “thing” out of this?  After all, how relevant is tax compliance to the practice of medicine?

ANSWER:            While you do need to make a “thing” out of this, that does not necessarily mean that this individual will not be able to join your medical staff.  A few things to consider when faced with an applicant like this, who does not satisfy your threshold criteria:

First, remember that the threshold criteria were developed through a process of careful deliberation by medical staff leaders and hospital representatives.  So, the legwork in determining whether an issue is a “big deal” with respect to medical staff membership and/or clinical privileges has already been done.  That decision need not be made on a case-by-case basis by those responsible for processing individual applications.

Further, the threshold criteria are part of the Bylaws or Credentials Policy and those documents should be followed.  Relatedly, the threshold criteria should be waived only if there is a waiver process set forth in the Bylaws or Credentials Policy (such provisions usually require a recommendation by the Credentials Committee and MEC and a final decision by the Board with respect to a waiver, before the application is then considered – if the waiver is granted).

As a general rule, waivers should be granted only if there are exceptional circumstances justifying the grant of a waiver.  The burden should be placed on the applicant to show that his or her qualifications are the same as or exceed those of individuals who satisfy the threshold criteria.  You do not need to show that you have good cause to keep an applicant out.  The applicant needs to show he or she is qualified to join your medical staff.  For example, failure to file tax returns and pay delinquent taxes calls into question an individual’s responsibility, veracity in documentation, honesty, and ability or willingness to comply with the rules.  And, so, the burden should be placed on the applicant to show that these things are not an issue before any waiver is granted.

Finally, just because you may not view tax noncompliance as a “big deal” does not mean you should not look at this issue with scrutiny, because it could raise other issues.  It may not.  But, you won’t know for sure until you look closely.  Consider the following issues, which you may wish to resolve before making a decision about a waiver:

  • Why did the applicant tell you that he did not know about the suspension of his license until his employer was notified? Is he preemptively explaining away the fact that he continued to practice on a suspended license – after notification from the state?
  • Is the applicant’s explanation reasonable and consistent? He says that he had no knowledge that his wife failed to file tax returns – and was not aware of the tax delinquency until his employer notified him that his license had been suspended.  But, he also stated that the wife’s failure to file tax returns caused him to “get behind” in filing.  If he did not know that his wife did not file returns, how could that have affected his filings in future years?
  • The applicant states that he was asked to provide 10 years of returns as part of the taxing authority’s investigation – but he stated that his wife only failed to file during three years. Why the inconsistency?
  • The applicant says that he was unaware of the problems with his taxes and license because of poor mail delivery at his address. That is very unusual and warrants additional follow-up.  Can the applicant provide any evidence that he has complained on prior occasions to the postmaster?  Does he have any evidence that mail and packages are returned to sender without delivery?  Does the applicant live in a very rural area, outside the bounds of normal civilization, where it may be reasonable to presume mail service is less consistent?

This may all seem like a lot of rigamarole for what looks like a simple, administrative oversight of a regular physician.  And, it may turn out to be.  But, sometimes, when situations like this arise, a little bit of scrutiny and digging reveals that the seemingly simple issue that was voluntarily revealed is actually a bigger issue than was being concealed.  It pays to do your homework up front.  So, put the burden on the applicant to fully explain and document his or her side of the story and then, given that information, consider whether his or her situation is so extraordinary that it justifies waiving your criteria.

April 21, 2016

Posted on by hortyspringer

QUESTION:        We received a HIPAA authorization form via e-mail, requesting a copy of the patient’s medical record for life insurance verification purposes.  There is no signature on the form – just a typewritten name and some information regarding when the electronic signature occurred.  Does this type of signature satisfy HIPAA’s requirement that authorization forms be “signed” by the patient?

ANSWER:           Yes.  The Health Insurance Portability and Accountability Act (“HIPAA”) does not require the signature on an authorization form to be physically placed there by the patient, signing with a pen.  Rather, so long as the applicable state (the state where the patient is located and/or the state where the hospital is located) recognizes an electronic signature as legally binding and valid, it is fine for the authorization form to be signed electronically.  In our experience, most states recognize electronic signatures as valid equivalents to signatures, for most purposes.  But, you should check with counsel and have them research the applicable state law, to be sure.

Note the following FAQ from the Department of Health and Human Services Office of Civil Rights’ web page at http://www.hhs.gov/hipaa/for-professionals/faq/554/how-do-hipaa-authorizations-apply-to-electronic-health-information/:

How do HIPAA authorizations apply to an electronic health information exchange environment?

The HIPAA Privacy Rule requires the individual’s written authorization for any use or disclosure of protected health information (PHI) not otherwise expressly permitted or required by the Privacy Rule.  For example, authorizations are not generally required to disclose PHI for treatment, payment, or health care operations purposes because covered entities are permitted to use and disclose PHI for such purposes, with few exceptions.  Thus, to the extent the primary purpose of any electronic health information exchange is to exchange clinical information among health care providers for treatment, HIPAA authorizations are unlikely to be a common method of effectuating individual choice for the exchange.  However, if the purpose of a covered entity sharing PHI through a health information organization is for a purpose not otherwise permitted by the Privacy Rule, then a HIPAA authorization would be required.  In such cases, the Privacy Rule would allow covered entities to disclose PHI pursuant to an electronic copy of a valid and signed authorization.  Further, the Privacy Rule allows HIPAA authorizations to be obtained electronically from individuals, provided any electronic signature is valid under applicable law.
Created 12/15/08

April 14, 2016

Posted on by hortyspringer

QUESTION:         I understand that the Department of Health & Human Services (“HHS”) has proposed that changes be made to the Federal Drug & Alcohol Regulations.  Those regulations haven’t been touched since 1987, nearly 30 years ago.  They’re the “gold standard” when it comes to medical record confidentiality.  What’s up with that?

ANSWER:            HHS described what’s up with that back in 2014 when it announced that it was holding a “public listening session” to allow interested parties the opportunity to share their views prior to HHS initiating changes to the federal regulations concerning drug and alcohol treatment medical records.

In its announcement, HHS acknowledged the tension between the current federal requirements regarding confidentiality and patient consent for such records to be shared and the need for providers to share such information in order to better coordinate care and control costs.  As HHS wrote:

“Over the last 25 years, significant changes have occurred within the U.S. health care system that were not envisioned by these regulations, including new models of integrated care that are built on a foundation of information sharing to support coordination of patient care, the development of an electronic infrastructure for managing and exchanging patient data, the development of prescription drug monitoring programs and a new focus on performance measurement within the health care system.  When the regulations were written, substance abuse treatment was primarily conducted by specialty treatment providers, and as a result, the impact on coordination of care was not raised as a core issue.

“[We have] heard from stakeholders that some of the current consent requirements make it difficult for these new health care organizations including health information exchange organizations (HIEs), Accountable Care Organizations (ACOs), and others to share substance abuse treatment information.”

Nonetheless, HHS also stated:  “[T]reatment for substance abuse disorders is still associated with discrimination.…There continues to be a need for confidentiality protections that encourage patients to seek treatment without fear of compromising their privacy.”

In February of this year, HHS, through the Substance Abuse and Mental Health Services Administration (“SAMHSA”), published these long-awaited drug and alcohol (“D&A”) proposed revised regulations.

It’s significant that HHS decided to open these D&A regulations to changes.  What we’ve been waiting for is to see how much they would change.

Bottom line:  The proposed revisions are most notable for what they do not do.  There is no landmark or revolutionary change in these proposed regulations.  SAMHSA retained the requirement that the patient has to consent to the sharing of electronic D&A records (“ED&A records”).  That means any covered D&A patient has the ability to prevent his or her ED&A records from being shared with a Health Information Exchange, for example.

Did SAMHSA make the right choice?  The American Hospital Association (the “AHA”) expressed its concerns about this approach in its comment letter on the proposed regulations dated April 5, 2016.  Retaining such strong patient consent protections, the AHA noted, requires health care providers to maintain a strict separation of a patient’s behavioral health-related data from other patient data.

As per the AHA:  “The separate privacy structure under [the proposed regulations] especially creates challenges for the integration of behavioral and physical health care simply because patient data related to behavioral health cannot be handled like all other health care data.  Estimates are that one in four Americans experiences a behavioral illness or substance use disorder each year, and the majority of these individuals have a co?morbid[ity] physical health condition.  Moreover, primary care has become the prevailing location for patients to receive treatment that addresses all their health needs, behavioral as well as medical.  Evidence confirms that integrating mental health, substance abuse and primary care services produces the best outcomes and proves the most effective approach to caring for people with multiple health care needs.”

The AHA also stated:  “Furthermore, at the highest stage of care integration, the focus is not merely on improving medical outcomes for individual patients but managing population health while reducing total costs for the overall health care delivery system.  To meet the needs of the many individuals with complex health needs, however, providers must be able to share patient behavioral health information as easily as information related to physical health for purposes of treatment, payment and health care operations.”

This is a situation in which conflicting needs very much collide.  We’ll see how SAMHSA resolves it when SAMHSA issues the final D&A Regulations later this year.

April 7, 2016

Posted on by hortyspringer

QUESTION:        Our physician practice is a separate entity that employs both physicians and non-physician practitioners (“NPPs”).  Many of the physicians bill the NPPs’ services as “incident-to” services.  Our compliance officer wants to audit the “incident-to” billing and wants to know if there is a simple, straightforward way to conduct such an audit.

ANSWER:            Unfortunately, the answer is no.

Medicare does not require that a physician use any type of identifier or modifier in order to identify “incident-to” services.  This became an issue for the OIG in its report entitled “Prevalence and Qualifications of Non-Physicians Who Performed Medicare Physician Services,” OEI-09-06-00430 (August 2009).

The OIG began this report by conceding that “little is known about Medicare services that are performed ‘incident-to’ the professional services of a physician.”  The OIG noted in several places that it has no simple means to determine what services NPPs are providing to Medicare beneficiaries or the qualifications of those NPPs when the services are billed under the “incident-to” rule.

The OIG also recognized that there are a number of limitations to its study and cautioned against extrapolating the conclusions reached in this Report to the Medicare program as a whole.  Nonetheless, it is clear that the Report’s description of what NPPs do, their credentials and how they provide services is instructive to both the OIG and to practices that utilize NPPs.

But before we discuss the OIG Report, let us examine the Medicare “incident-to” rule.  This rule permits a physician to bill Medicare Part B at the full physician fee schedule amount for the services that are performed by an NPP, if the services are:   (i) furnished to beneficiaries who are not inpatients of a hospital or SNF; (ii) commonly provided in a physician’s office; (iii) an integral though incidental part of the services provided by the physician; (iv) included in a treatment plan for an injury or illness where the physician performs an initial service and is involved actively in the course of treatment; (v) commonly furnished without charge or included in the physician’s bill; and (vi) provided under the “direct supervision” of the physician (i.e., the physician must be present in the office suite while the services are being provided and immediately available to provide assistance).

In this report, the OIG wanted to audit exactly what Medicare was paying for when the program reimbursed claims for services that were billed under the Medicare “incident-to” rules.  However, because “incident-to” claims cannot be identified on the face of the claim, the OIG had no simple or direct means to identify “incident-to” claims.

As a result, the OIG had to formulate a means to identify “incident-to” billing.  In order to do so, the OIG looked at all the physician claims submitted to the program during the first quarter of 2007 and converted the E and M codes billed to a period of time using the Medicare Fee Schedule average time associated with each service.  The OIG then identified physicians who billed more than 24 hours in a single day, reasoning that the only ways to do so were either fraud or using NPPs.

Using this methodology, the OIG identified over 200 physicians who had billed more than 24 hours of services in a single day.  The OIG excluded a few physicians who were being investigated for billing fraud.  However, the OIG then determined that billing more than 24 hours in a day was not a concern to the OIG so long as the physicians complied with the “incident-to” rule.

The OIG then sent an audit request to the physicians who were part of the study, requesting that they identify the services that were being provided by the non-physician practitioners and the qualifications of those non-physician practitioners.

While the OIG found that most services billed using the “incident-to” rules were appropriate and most non-physicians involved in the care of those services were authorized to provide the service under state law, the OIG expressed the concern that a significant percentage of “incident-to” services may be performed by unqualified non-physician practitioners, concluding:

Unqualified non-physicians performed 21 percent of the services that physicians did not perform personally.  In the first 3 months of 2007, Medicare allowed $12.6 million for approximately 210,000 services performed by unqualified non-physicians.  These non-physicians did not possess the necessary licenses or certifications, had no verifiable credentials, or lacked the training to perform the services.  Non-physicians with inappropriate qualifications performed 7 percent of the invasive services that physicians did not perform.

The OIG study shows that “incident-to” billing is an area that your compliance program should review.  However, the study also shows the difficulty involved in conducting such an audit.

While you could use the OIG’s methodology, it is probably easier to visit each practice to observe whether the physicians who bill under the “incident-to” rules are following the requirements of the rules and to make sure that the services provided by the NPPs are within the scope of their state license.

March 31, 2016

Posted on by hortyspringer


QUESTION:        Some Medical Staff members have asked to add the following disclaimer to their medical records:

Please note that this dictation was completed with computer voice?recognition software.  Quite often unanticipated grammatical, syntax, homophones, and other interpretive errors are inadvertently transcribed by the computer software.  Please disregard these errors.  Please excuse any errors that have escaped final proofreading.

Is this a good idea?

ANSWER:            No.  Such disclaimers probably increase a physician’s risk of liability.

This specific issue was addressed recently by WPS GHA, a Medicare contractor.  It provided the following guidance:

Disclaimers Used as Part of Physician’s Signature

WPS GHA has recently been informed of a new trend in medical record documentation – that of using some type of disclaimer.  Examples include the following:  ‘Due to possible errors in transcription, there may be errors in documentation’; ‘Due to voice recognition software, sound alike and misspelled words may be contained in the documentation’; and ‘I am not responsible for errors due to transcription.’ Providers are responsible for the medical record documentation.  Disclaimers such as those above do not remove that responsibility.  The provider should verify the information is complete and accurate prior to attaching his/her signature.[1]  (Emphasis added.)

We agree that a disclaimer will not shield a physician from liability for errors in the medical record.  It does not matter if the error is caused by voice recognition software or a transcriptionist.  The physician’s signature on the record is the physician’s confirmation that the information is accurate and complete.  A disclaimer cannot be used to evade that responsibility.

The guidance from WPS GHA makes clear that disclaimers cannot help physicians.  In fact, there is also reason to believe that such disclaimers will actually harm physicians.  If a disclaimer is used, an injured patient may claim in a malpractice suit that the physician was too busy to review the accuracy of the entry, or simply was unconcerned.

All health care professionals know that transcription errors in the medical record can harm patients.  This may explain why juries have no sympathy or tolerance for physicians who would attempt to use a disclaimer to avoid responsibility for closely reviewing the medical record before signing it.

Not only are juries offended by these disclaimers, but they offer an easy target for malpractice attorneys.  The following comment was posted on a message board regarding this issue:

I called some attorney contacts I have on BOTH sides of the courtroom (just to get THEIR take on the situation).  The defense attorneys I contacted DON’T want the disclaimer anywhere on the note.  The plaintiff attorneys I contacted LOVED the idea and then proceeded to tell me how they would ‘rip the author of those notes to shreds’ EVEN IF NO ERRORS WERE FOUND IN THE NOTE! They had some rather interesting approaches on how to discredit the author simply due to the presence of a disclaimer on a medical note.[2]

______________________

[1]               http://wpsmedicare.com/j8macpartb/departments/cert/signature-guidance.shtml

[2]               http://sci.med.transcription.narkive.com/9N0C52Rt/inserting-a-disclaimer-in-a-medical-report

March 24, 2016

Posted on by hortyspringer

QUESTION:       What’s all this I hear about HIPAA Phase 2 audits?

ANSWER:           The HHS Office of Civil Rights (“OCR”) announced this past Monday that it would soon be commencing HIPAA Phase 2 audits of selected HIPAA covered entities and their business associates. In its 2016 Phase 2 HIPAA Audit Program, OCR will review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.  These audits will primarily be desk audits, although some on-site audits will be conducted.

Information about the audits can be found at http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/phase2announcement/index.html.

Here are some things you should do right now to get ready in case you are one of the lucky ones who get audited:

  1. Make sure your hospital’s spam blocker will not block any e-mails from the following e-mail address: OSOCRAudit@hhs.gov  You will only be notified by e-mail if you are selected to be audited and then you will only have 10 business days to provide the information requested by OCR.  If the e-mail from OCR is blocked, you might get a call saying you failed to respond as required.
  1. Make sure all your privacy and security policies and procedures are up to date. They will almost certainly be requested if you are selected.
  1. Compile a list of all your business associates and their contact information. This will be requested as well.  Furthermore, you might want to notify your business associates that they may be contacted by OCR to be audited and, if they are, request that they let you know and fully cooperate with the auditors.  And while you’re at it, make sure your business associate agreements are properly executed and up to date.
  1. Conduct a mock audit. At the very least, your medical records, I.T., and compliance departments should be involved along with your Privacy Officer, senior management and legal counsel.  While the Phase 2 audit protocols have not been released yet, the Phase 1 protocols are available and can be helpful to prepare.

March 17, 2016

Posted on by hortyspringer

QUESTION:        Occasionally, a physician on our medical staff will want to treat a family member.   Medical staff leadership does not think this is a good idea, but we have not expressly addressed this in any of our documents.  If we allow it, can the physician bill for the services he provides to a family member?

ANSWER:           The American Medical Association (“AMA”) has taken a strong stance against the treatment of family members by a physician.  The AMA’s Opinions on Practice Matters, E-8.19 Self?Treatment or Treatment of Immediate Family Members, includes the following statement:

Physicians generally should not treat themselves or members of their immediate families. Professional objectivity may be compromised when an immediate family member … is the patient; the physician’s personal feelings may unduly influence his or her professional medical judgment, thereby interfering with the care being delivered. Physicians may fail to probe sensitive areas when taking the medical history or may fail to perform intimate parts of the physical examination. Similarly, patients may feel uncomfortable disclosing sensitive information or undergoing an intimate examination when the physician is an immediate family member…. If tensions develop in a physician’s professional relationship with a family member, perhaps as a result of a negative medical outcome, such difficulties may be carried over into the family member’s personal relationship with the physician….

Since this issue has come up, or even if it hasn’t, we recommend that you add language to your rules and regulations to address it.

With respect to your second question, it is important for physicians to know that they cannot bill Medicare for services provided to family members. Medicare policy clearly states that the treatment of certain family members is not to be reimbursed by Medicare or any Medicare Advantage program.  The following relationships are included in the definition of family members:

  • Husband and wife;
  • Natural or adoptive parent, child, and sibling;
  • Stepparent, stepchild, stepbrother, and stepsister;
  • Father-in-law, mother-in-law, son-in-law, daughter-in-law, brother-in-law, and sister-in-law;
  • Grandparent and grandchild; and
  • Spouse of grandparent and grandchild.

While this is a Medicare policy, many other insurance companies have adopted this as part of their contractual policies with providers.

March 10, 2016

Posted on by hortyspringer

QUESTION:        There is a lot of confusion among our medical staff leaders about the relationship between medical staff appointment and clinical privileges.  For example, it is common to hear members refer to “Active Staff Privileges.” How can we help educate them on the distinction between medical staff membership and clinical privileges?

ANSWER:            Many medical staff members confuse or intertwine these two important concepts, even though they are entirely separate.  A lot of this confusion likely originates from the fact that many medical staff bylaws define staff categories by referring to the clinical practice of the individuals who fall within those categories.  For example, it is quite common for the “Active Staff” to be defined to include those individuals who conduct at least 24 patient contacts annually.

As such, it is important that your bylaws speak to membership and clinical privileges as distinct concepts.  Membership relates to an individual’s participation in the hospital’s or medical staff’s functions (e.g., committee membership, the conduct of peer review and other leadership functions, etc.).  The staff category that an individual requests – and is assigned to – relates largely to how involved the individual will be in such functions.  Those categories associated with more active involvement come with greater rights (such as voting and holding office).

On the other hand, clinical privileges relate solely to the individual’s provision of clinical services at the hospital. They do not relate to an individual’s involvement in hospital and medical staff affairs and, in turn, are not tied to the individual’s staff category.  Accordingly, an individual may be a member of the medical staff, but have no privileges.  Conversely, an individual may have privileges, but not be a member of the active staff or even the medical staff (e.g., telemedicine providers).

Ensuring your bylaws documents make this distinction is a good first step in educating your medical staff on this issue.